In this blog, I describe how you can use Oracle CCG to comply with the COSO and CobiT 4.1 Control Objectives including:

• Manage the Configuration
• Manage Changes

Manage the Configuration

Oracle Configuration Controls Governor (CCG) 5.5.1 provides you with the functionality you need to “Manage the Configuration” to comply with:

• COSO IT Control Objectives (for Sarbanes-Oxley)
• CobiT 4.1
• Using CCG 5.5.1 to Manage the Configuration

COSO IT Control Objective – Manage the Configuration

Controls provide reasonable assurance that IT components, as they relate to security and processing, are well protected, would prevent any unauthorized changes, and assist in the verification and recording of the current configuration

Rationale

Configuration management includes procedures such that security and processing integrity controls are set up in the system and maintained through its life cycle. Insufficient configuration controls can lead to security exposures that may permit unauthorized access to systems and data and impact financial reporting. An additional potential risk is corruption to data integrity caused by poor control of the configuration when making system changes or by the introduction of unauthorized system components.

CobiT 4.1 Control Objective – Manage the Configuration

Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimizes production issues and resolves issues more quickly.

DS9.1 Configuration Repository and Baseline

Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.

DS9.2 Identification and Maintenance of Configuration Items

Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.

DS9.3 Configuration Integrity Review

Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.

Using Oracle CCG 5.5.1 to Manage the Configuration

You can use Oracle CCG 5.5.1 to take snapshot definitions of your approved “baseline” application configuration for each Oracle application.  Similarly, you can generate snapshot definitions of your Oracle applications and compare them with your “baseline” snapshots to ensure that the current configuration is consistent with your “baseline” configuration.

Manage Changes

Oracle Configuration Controls Governor (CCG) 5.5.1 provides you with the functionality you need to Manage Changes to comply with:

• COSO IT Control Objectives (for Sarbanes-Oxley)
• CobiT 4.1
• Using Oracle CCG 5.5.1 to Manage Changes

COSO IT Control Objective – Manage Changes

Controls provide reasonable assurance that system changes of financial reporting significance are authorized and appropriately tested before being moved to production.

Rationale

Managing changes addresses how an organization modifies system functionality to help the business meet its financial reporting objectives. Deficiencies in this area could significantly impact financial reporting. For instance, changes to the programs that allocate financial data to accounts require appropriate approvals and testing prior to the change so that proper classification and reporting integrity is maintained.

CobiT 4.1 Control Objective – Manage Changes

AI6.1 Change Standards and Procedures

Set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

AI6.2 Impact Assessment, Prioritization and Authorization

Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorized, prioritized and authorized.

AI6.3 Emergency Changes

Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes that do not follow the established change process.

AI6.4 Change Status Tracking and Reporting

Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.

AI6.5 Change Closure and Documentation

Whenever changes are implemented, update the associated system and user documentation and procedures accordingly

Using Oracle CCG 5.5.1 to Manage Changes

You can use the Change Tracking Details reports in Oracle CCG 5.5.1 to identify all changes made to the Oracle application configuration parameters.  Similarly, you can use these reports to ensure that each change has been processed properly through the Change Management Process.

“Manage Changes” is one of the COSO and CobiT 4.1 Control Objectives.  The Control Objectives for Manage Changes are described in the CobiT process A16 Manage Changes.  You can use Oracle CCG 5.5.1 to facilitate compliance with this CobiT Control Objective.
Once you “Deploy” the Change Tracking Definitions, Oracle CCG 5.5.1 tracks EVERY change that a user makes to any object included in the definition.  You can review the complete detailed history of changes online and/or generate reports in HTML, PDF and CSV formats.  Moreover, you can review the history of changes from the date and time that you first deploy the Change Tracking Definitions through the date and time that you purge Change Tracking Data.

In this blog, I provide you with a couple of examples of how a Customer can use Oracle CCG 5.5.1 to reduce IT expenses:

• Responding to Requests from External Auditors
• Performing IT Security and Compliance Activities

Responding to Requests from External Auditors

Customer’s IT staff spends a significant amount of time each year responding to requests from its external auditors for information that the external auditors need to complete their review of Customer’s Internal Controls and audit of Customer’s Financial Statements.  Many of these requests require Customer’s IT staff to answer questions regarding the configuration of the Oracle Financial applications and changes to these configuration parameters.

Currently, the IT staff generally writes and/or executes multiple queries to provide the documentation required by its external auditors.  This is a very time consuming task and diverts IT resources from performing their core activities.
Customer’s IT staff can minimize the time required to respond to requests from their external auditors and spend more time working on their core activities by using Oracle CCG to provide the external auditors with snapshot definition occurrences generated on a specific date and time and compare them with the same snapshot definitions generated on a subsequent date and time to quickly identify the differences in configuration parameters between the two snapshot definitions.  Similarly, Customer’s IT staff and generate Change Tracking Details for one or more application configuration objects to provide its external auditors with a detailed history of all changes made to these objects during a specific period of time.  This functionality can significantly reduce the time it takes the IT staff to manually create and generate the queries required to provide this information to the auditors.

Performing IT Security and Compliance Activities

Customer’s IT Security and Compliance Team can save time completing their security and compliance activities by comparing snapshot definitions with “baseline” snapshot definitions to ensure continued compliance with the approved “baseline”.  Similarly, this team can generate Change Tracking Details reports to ensure that all changes have been process properly using the approve Change Management Procedures.
Currently, the IT Security and Compliance Team must employ manual methods to identify the differences between the actual configuration parameters and the approved “baseline”.  Moreover, the current process to identify the individual changes to “baseline” configuration parameters is a very time consuming manual process.

 

All organizations would like to be able to reduce the cost associated with the implementation and/or upgrade of the Oracle applications.  These costs generally range from several hundred thousand dollars several million dollars depending on the scope and complexity of the Oracle implementation.

The majority of the cost to implement Oracle application is associated with consulting fees.  An Oracle implementation is very labor intensive; therefore, anything that you can do to minimize the use of Oracle consultants and/or make them more efficient usually results in a significant reduction of implementation costs.

You can effectively use Oracle Configuration Controls Governor (CCG) throughout the Software Development Life Cycle (SDLC) to help reduce IT costs. I have listed some of the ways that you can employ CCG to realize these savings. For example, you can use Snapshot Definitions to:

• Facilitate SR Resolution
• Document Baseline Configuration
• Facilitate Merger and Acquisition (M&A) Activities
• Monitor Changes Made by Patches
• Before Refreshing an Instance

Facilitate SR Resolution

When you submit a SR to Oracle Support to report an issue or a suspected bug in the program, Oracle often responds with a request for screen prints that document the issue.  Often this includes documentation of profile options and other configuration parameters. 

Many times, several consultants working on the implementation are not able to be as productive as they normally would be while they wait for the SR to be resolved.  For example, during integration testing, the Payables team is dependent on the Purchasing team to complete their setup and tests before Payables can test the integration with Purchasing.

You can save time and consequently reduce implementation costs by providing Oracle support with snapshot definitions that document profile options and other setup parameters that Oracle Support requires to quickly resolve an issue.

Document Baseline Configuration

Most Oracle consulting firms use a SDLC methodology that requires the consultants who implement the Oracle applications to document the setup (i.e. configuration parameters) of these applications.  For example, Oracle and many other Oracle consulting firms use Oracle Application Implementation Method (AIM) to prepare a BR100 to document the “baseline” configuration of the Oracle applications. 

This is a very time consuming process and consultants usually spend several hours over an extended period of time to complete the documentation.  Also, this is a manual effort, which is prone to human error.

You can use Oracle Configuration Controls Governor (CCG) to define snapshot definitions to document your “baseline” configuration of each Oracle application.  This process eliminates human error and takes a “snapshot” of your application configuration parameters at a specific point in time.  Thus, you eliminate the need to manually prepare documents such as the BR100 to complete this task.

Using CCG and GRCM to Create BR100s

First, create a BR100-like framework in Oracle GRC Manager. Enter your business requirements into the framework, and import the setup data that’s captured by CCG. Then, add your comments in the framework as desired, and take any needed compensating, remediating, or mitigating steps. If you’re wondering why CCG doesn’t let you annotate the setup data it captures, it’s because that would be at odds with a key GRC best practice: providing a single point of interaction between GRC users and all the data they need to make good decisions. Only solutions like GRCM and GRCI permit that holistic view, and only solutions like GRCM permit the automation of policies and workflows that rely on data from multiple sources, CCG being just one.

Facilitate Mergers and Acquisitions (M&A) Activities

In today’s business environment many companies that use Oracle the Oracle E-Business Suite (EBS) merge with and/or acquire other companies.  As part of the M&A process, these companies may have to integrate the newly acquired entities with the existing EBS.  Normally, this requires that the new entities be defined as additional Operating Units, added to an existing Set of Books or defined with a new Set of Books.

You can use the snapshot definitions generated by Oracle Configuration Controls Governor (CCG) to effectively and efficiently integrate newly acquired entities with your existing Oracle EBS.  Moreover, after you complete the setup of these new entities, you can use snapshot comparisons to ensure that you have configured these new entities properly.

Monitor Changes Made by Patches

Database Administrators (DBAs) frequently apply patches to the Oracle applications.  Generally, the DBA initially applies the patch to a patch, test or development instance applying the patch to the production instance.  Oracle implementation consultants and/or users are requested to “test” the functionality in their respective applications to ensure that the patch hasn’t “broken” anything.

Testing is a manual effort and most times the testing that is done is not very thorough.  You can save time and minimize the risk that a patch has changed something unexpectedly by taking a snapshot before and after the patch is applied and comparing the snapshots for differences in the configuration parameters.  You can then investigate the differences to ensure that they changes in the configuration are valid.

Before Refreshing an Instance

Organizations continually refresh databases due to limited system resources or other business requirements.  After the refresh, users sometimes find that functionality in the new instance is not the same as it had been before the refresh.

You can save time and frustration by taking snapshots before and after the refresh, which you can compare and identity any differences between configuration parameters before and after the database was refreshed.